-rwxr-xr-x.github/configs2
-rw-r--r--.github/workflows/c-cpp.yml2
-rw-r--r--.github/workflows/upstream.yml4
-rw-r--r--auth-pam.c15
-rw-r--r--configure.ac31
-rw-r--r--monitor_wrap.c43
-rw-r--r--regress/dropbear-ciphers.sh15
-rw-r--r--regress/dropbear-kex.sh14
-rw-r--r--regress/misc/fuzz-harness/agent_fuzz_helper.c1
-rw-r--r--regress/misc/fuzz-harness/kex_fuzz.cc8
-rw-r--r--regress/misc/fuzz-harness/sig_fuzz.cc8
-rw-r--r--regress/penalty-expire.sh1
-rw-r--r--regress/test-exec.sh22
-rw-r--r--serverloop.c6
-rw-r--r--srclimit.c2
-rw-r--r--ssh-add.112
-rw-r--r--ssh-keygen.120
-rw-r--r--ssh-keyscan.116
-rw-r--r--ssh-keysign.86
-rw-r--r--ssh.121
-rw-r--r--ssh_config.511
-rw-r--r--sshd.89
-rw-r--r--sshd_config.51
23 files changed, 124 insertions, 146 deletions
diff --git a/.github/configs b/.github/configs
index a34276a0..6134cb6e 100755
--- a/.github/configs
+++ b/.github/configs
@@ -290,7 +290,7 @@ case "${TARGET_HOST}" in
hostkey-agent key-options keyscan knownhosts-command login-timeout
reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
- transfer"
+ transfer penalty penalty-expire"
SKIP_LTESTS="$(echo $T)"
TEST_TARGET=t-exec
SUDO=""
diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
index ff510e34..60902870 100644
--- a/.github/workflows/c-cpp.yml
+++ b/.github/workflows/c-cpp.yml
@@ -17,7 +17,6 @@ jobs:
target:
- ubuntu-20.04
- ubuntu-22.04
- - macos-11
- macos-12
- macos-13
- macos-14
@@ -102,7 +101,6 @@ jobs:
- { target: ubuntu-22.04, config: selinux }
- { target: ubuntu-22.04, config: kitchensink }
- { target: ubuntu-22.04, config: without-openssl }
- - { target: macos-11, config: pam }
- { target: macos-12, config: pam }
- { target: macos-13, config: pam }
- { target: macos-14, config: pam }
diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml
index f0de34d6..e25adb42 100644
--- a/.github/workflows/upstream.yml
+++ b/.github/workflows/upstream.yml
@@ -3,7 +3,7 @@ name: Upstream self-hosted
on:
push:
branches: [ master ]
- paths: [ '**.c', '**.h', '.github/configs', '.github/workflows/upstream.yml' ]
+ paths: [ '**.c', '**.h', '**.sh', '.github/configs', '.github/workflows/upstream.yml' ]
jobs:
selfhosted:
@@ -43,7 +43,7 @@ jobs:
- name: make
run: vmrun "cd /usr/src/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
- name: make install
- run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install"
+ run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install && sudo /etc/rc.d/sshd -f restart"
- name: make tests`
run: vmrun "cd /usr/src/regress/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
env:
diff --git a/auth-pam.c b/auth-pam.c
index 2c1a8d3d..13c0a792 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -100,6 +100,7 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "srclimit.h"
extern ServerOptions options;
extern struct sshbuf *loginmsg;
@@ -166,13 +167,13 @@ sshpam_sigchld_handler(int sig)
return;
}
}
- if (WIFSIGNALED(sshpam_thread_status) &&
- WTERMSIG(sshpam_thread_status) == SIGTERM)
- return; /* terminated by pthread_cancel */
- if (!WIFEXITED(sshpam_thread_status))
- sigdie("PAM: authentication thread exited unexpectedly");
- if (WEXITSTATUS(sshpam_thread_status) != 0)
- sigdie("PAM: authentication thread exited uncleanly");
+ if (sshpam_thread_status == -1)
+ return;
+ if (WIFSIGNALED(sshpam_thread_status)) {
+ if (signal_is_crash(WTERMSIG(sshpam_thread_status)))
+ _exit(EXIT_CHILD_CRASH);
+ } else if (!WIFEXITED(sshpam_thread_status))
+ _exit(EXIT_CHILD_CRASH);
}
/* ARGSUSED */
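Review bot: The new tail of sshpam_sigchld_handler returns silently when the PAM child exits with a non-zero status, or is killed by a signal that signal_is_crash() does not classify as a crash, and nothing on these lines says this is intended. The removed code treated a non-zero WEXITSTATUS as fatal and documented the SIGTERM case as `/* terminated by pthread_cancel */`. A comment such as `/* only crashes are reported here; non-crash signals (e.g. SIGTERM from pthread_cancel) and ordinary exits are left to the caller */` would keep that reasoning next to the code, if the exit status is indeed checked elsewhere. The `sshpam_thread_status == -1` early return also needs a word on what -1 stands for, since the variable is set outside this hunk. The handler starts above the hunk; its use of `_exit()`, which is async-signal-safe, is worth stating in the same comment.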
diff --git a/configure.ac b/configure.ac
index 717fef83..5a865f8e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2078,8 +2078,12 @@ AC_ARG_WITH([security-key-builtin],
enable_dsa=
AC_ARG_ENABLE([dsa-keys],
- [ --disable-dsa-keys disable DSA key support [no]],
- [ enable_dsa="$enableval" ]
+ [ --enable-dsa-keys enable DSA key support [no]],
+ [
+ if test "x$enableval" != "xno" ; then
+ enable_dsa=1
+ fi
+ ]
)
AC_SEARCH_LIBS([dlopen], [dl])
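Review bot: The new AC_ARG_ENABLE body sets `enable_dsa=1` for every value other than `no`, so `--enable-dsa-keys=off` or a mistyped value switches a legacy algorithm on. Since the option is now opt-in, matching the positive case is the safer reading: `if test "x$enableval" = "xyes" ; then`, optionally with an AC_MSG_ERROR for any value that is neither `yes` nor `no`. The related test in the next hunk, `if test ! -z "$enable_dsa"`, reads more plainly as `if test -n "$enable_dsa"`.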
@@ -3188,8 +3192,9 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_RESULT([no])
]
)
+
openssl_dsa=no
- if test -z "$enable_dsa" || test "x$enable_dsa" = "xyes"; then
+ if test ! -z "$enable_dsa" ; then
AC_CHECK_DECLS([OPENSSL_NO_DSA], [], [
AC_CHECK_DECLS([OPENSSL_IS_BORINGSSL], [],
[ openssl_dsa=yes ],
@@ -3199,22 +3204,12 @@ if test "x$openssl" = "xyes" ; then
[ #include <openssl/opensslconf.h> ]
)
AC_MSG_CHECKING([whether to enable DSA key support])
- if test -z "$enable_dsa"; then
- if test "x$openssl_dsa" = "xno"; then
- AC_MSG_RESULT([not supported by OpenSSL])
- else
- AC_MSG_RESULT([yes])
- AC_DEFINE([WITH_DSA], [1],
- [DSA keys enabled by default])
- fi
+ if test "x$openssl_dsa" = "xno"; then
+ AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
else
- if test "x$openssl_dsa" = "xno"; then
- AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
- else
- AC_MSG_RESULT([yes])
- AC_DEFINE([WITH_DSA], [1],
- [DSA keys explicitly enabled])
- fi
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([WITH_DSA], [1],
+ [DSA keys explicitly enabled])
fi
fi
fi
diff --git a/monitor_wrap.c b/monitor_wrap.c
index d88c33d1..5358c77a 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.135 2024/06/11 02:54:51 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.136 2024/06/19 23:24:47 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -121,24 +121,6 @@ mm_is_monitor(void)
return (pmonitor && pmonitor->m_pid > 0);
}
-void
-mm_request_send(int sock, enum monitor_reqtype type, struct sshbuf *m)
-{
- size_t mlen = sshbuf_len(m);
- u_char buf[5];
-
- debug3_f("entering, type %d", type);
-
- if (mlen >= 0xffffffff)
- fatal_f("bad length %zu", mlen);
- POKE_U32(buf, mlen + 1);
- buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */
- if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))
- fatal_f("write: %s", strerror(errno));
- if (atomicio(vwrite, sock, sshbuf_mutable_ptr(m), mlen) != mlen)
- fatal_f("write: %s", strerror(errno));
-}
-
static void
mm_reap(void)
{
@@ -171,6 +153,29 @@ mm_reap(void)
}
void
+mm_request_send(int sock, enum monitor_reqtype type, struct sshbuf *m)
+{
+ size_t mlen = sshbuf_len(m);
+ u_char buf[5];
+
+ debug3_f("entering, type %d", type);
+
+ if (mlen >= 0xffffffff)
+ fatal_f("bad length %zu", mlen);
+ POKE_U32(buf, mlen + 1);
+ buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */
+ if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf) ||
+ atomicio(vwrite, sock, sshbuf_mutable_ptr(m), mlen) != mlen) {
+ if (errno == EPIPE) {
+ debug3_f("monitor fd closed");
+ mm_reap();
+ cleanup_exit(255);
+ }
+ fatal_f("write: %s", strerror(errno));
+ }
+}
+
+void
mm_request_receive(int sock, struct sshbuf *m)
{
u_char buf[4], *p = NULL;
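Review bot: The EPIPE branch in mm_request_send carries no comment explaining why a closed monitor descriptor is no longer fatal, and it is reached only if the write returns EPIPE instead of raising SIGPIPE. A comment such as `/* monitor closed its end: reap it so its exit status is acted on, then exit without a fatal log */` would record the intent, assuming that is what mm_reap() does (its body is outside this hunk). It is also worth confirming that SIGPIPE is ignored in every process that calls this function, because otherwise the process dies inside atomicio() and neither mm_reap() nor cleanup_exit(255) runs. mm_request_receive begins at the end of the hunk and continues outside it.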
diff --git a/regress/dropbear-ciphers.sh b/regress/dropbear-ciphers.sh
index 2e0f9a1d..1500fa0e 100644
--- a/regress/dropbear-ciphers.sh
+++ b/regress/dropbear-ciphers.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dropbear-ciphers.sh,v 1.1 2023/10/20 06:56:45 dtucker Exp $
+# $OpenBSD: dropbear-ciphers.sh,v 1.3 2024/06/20 08:23:18 dtucker Exp $
# Placed in the Public Domain.
tid="dropbear ciphers"
@@ -7,13 +7,18 @@ if test "x$REGRESS_INTEROP_DROPBEAR" != "xyes" ; then
skip "dropbear interop tests not enabled"
fi
+# Enable all support algorithms
+algs=`$SSH -Q key-sig | tr '\n' ,`
cat >>$OBJ/sshd_proxy <<EOD
-PubkeyAcceptedAlgorithms +ssh-rsa,ssh-dss
-HostkeyAlgorithms +ssh-rsa,ssh-dss
+PubkeyAcceptedAlgorithms $algs
+HostkeyAlgorithms $algs
EOD
-ciphers=`$DBCLIENT -c help 2>&1 | awk '/ ciphers: /{print $4}' | tr ',' ' '`
-macs=`$DBCLIENT -m help 2>&1 | awk '/ MACs: /{print $4}' | tr ',' ' '`
+ciphers=`$DBCLIENT -c help hst 2>&1 | awk '/ ciphers: /{print $4}' | tr ',' ' '`
+macs=`$DBCLIENT -m help hst 2>&1 | awk '/ MACs: /{print $4}' | tr ',' ' '`
+if [ -z "$macs" ] || [ -z "$ciphers" ]; then
+ skip "dbclient query ciphers '$ciphers' or macs '$macs' failed"
+fi
keytype=`(cd $OBJ/.dropbear && ls id_*)`
for c in $ciphers ; do
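Review bot: `algs` is written into sshd_proxy without the emptiness check that this hunk adds for `ciphers` and `macs`, so a failing `$SSH -Q key-sig` would produce `PubkeyAcceptedAlgorithms` and `HostkeyAlgorithms` lines with no usable value. A guard in the same style, `[ -z "$algs" ] && skip "ssh -Q key-sig returned nothing"`, would surface that failure where it happens. `tr '\n' ,` also leaves a trailing comma on the list, which piping through `sed 's/,$//'` would remove. The added comment should read `# Enable all supported algorithms`.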
diff --git a/regress/dropbear-kex.sh b/regress/dropbear-kex.sh
index a25de3ed..d9f1b32c 100644
--- a/regress/dropbear-kex.sh
+++ b/regress/dropbear-kex.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dropbear-kex.sh,v 1.1 2023/10/20 06:56:45 dtucker Exp $
+# $OpenBSD: dropbear-kex.sh,v 1.3 2024/06/19 10:10:46 dtucker Exp $
# Placed in the Public Domain.
tid="dropbear kex"
@@ -7,21 +7,19 @@ if test "x$REGRESS_INTEROP_DROPBEAR" != "xyes" ; then
skip "dropbear interop tests not enabled"
fi
-cat >>$OBJ/sshd_proxy <<EOD
-PubkeyAcceptedAlgorithms +ssh-rsa,ssh-dss
-HostkeyAlgorithms +ssh-rsa,ssh-dss
-EOD
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
-kex="curve25519-sha256 curve25519-sha256@libssh.org
- diffie-hellman-group14-sha256 diffie-hellman-group14-sha1"
+kex="curve25519-sha256 curve25519-sha256@libssh.org"
+if $SSH -Q kex | grep 'diffie-hellman-group14-sha1'; then
+ kex="$kex diffie-hellman-group14-sha256 diffie-hellman-group14-sha1"
+fi
for k in $kex; do
verbose "$tid: kex $k"
rm -f ${COPY}
# dbclient doesn't have switch for kex, so force in server
(cat $OBJ/sshd_proxy.bak; echo "KexAlgorithms $k") >$OBJ/sshd_proxy
- env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_rsa 2>$OBJ/dbclient.log \
+ env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \
-J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY}
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
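Review bot: The new `$SSH -Q kex | grep 'diffie-hellman-group14-sha1'` test writes the matched line into the test output, and it probes only the sha1 name while enabling both group14 algorithms. Silencing it the way test-exec.sh does in this same commit, `if $SSH -Q kex | grep 'diffie-hellman-group14-sha1' >/dev/null; then`, keeps the log clean. A one-line comment saying that the sha1 name stands in for finite-field DH support as a whole would explain the pairing, if that is the intent. The changed client line still invokes `dbclient` by bare name, whereas dropbear-ciphers.sh uses `$DBCLIENT`.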
diff --git a/regress/misc/fuzz-harness/agent_fuzz_helper.c b/regress/misc/fuzz-harness/agent_fuzz_helper.c
index c3051c72..321343bb 100644
--- a/regress/misc/fuzz-harness/agent_fuzz_helper.c
+++ b/regress/misc/fuzz-harness/agent_fuzz_helper.c
@@ -112,7 +112,6 @@ reset_idtab(void)
idtab_init();
// Load keys.
add_key(PRIV_RSA, CERT_RSA);
- add_key(PRIV_DSA, CERT_DSA);
add_key(PRIV_ECDSA, CERT_ECDSA);
add_key(PRIV_ED25519, CERT_ED25519);
add_key(PRIV_ECDSA_SK, CERT_ECDSA_SK);
diff --git a/regress/misc/fuzz-harness/kex_fuzz.cc b/regress/misc/fuzz-harness/kex_fuzz.cc
index d38ca859..f126d93f 100644
--- a/regress/misc/fuzz-harness/kex_fuzz.cc
+++ b/regress/misc/fuzz-harness/kex_fuzz.cc
@@ -144,7 +144,6 @@ static int
prepare_keys(struct shared_state *st)
{
if (prepare_key(st, KEY_RSA, 2048) != 0 ||
- prepare_key(st, KEY_DSA, 1024) != 0 ||
prepare_key(st, KEY_ECDSA, 256) != 0 ||
prepare_key(st, KEY_ED25519, 256) != 0) {
error_f("key prepare failed");
@@ -264,10 +263,6 @@ prepare_key(struct shared_state *st, int kt, int bits)
pubstr = PUB_RSA;
privstr = PRIV_RSA;
break;
- case KEY_DSA:
- pubstr = PUB_DSA;
- privstr = PRIV_DSA;
- break;
case KEY_ECDSA:
pubstr = PUB_ECDSA;
privstr = PRIV_ECDSA;
@@ -325,7 +320,7 @@ int main(void)
{
static struct shared_state *st;
struct test_state *ts;
- const int keytypes[] = { KEY_RSA, KEY_DSA, KEY_ECDSA, KEY_ED25519, -1 };
+ const int keytypes[] = { KEY_RSA, KEY_ECDSA, KEY_ED25519, -1 };
static const char * const kextypes[] = {
"sntrup761x25519-sha512@openssh.com",
"curve25519-sha256@libssh.org",
@@ -399,7 +394,6 @@ static void
do_kex(struct shared_state *st, struct test_state *ts, const char *kex)
{
do_kex_with_key(st, ts, kex, KEY_RSA);
- do_kex_with_key(st, ts, kex, KEY_DSA);
do_kex_with_key(st, ts, kex, KEY_ECDSA);
do_kex_with_key(st, ts, kex, KEY_ED25519);
}
diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc
index b32502ba..639e4d22 100644
--- a/regress/misc/fuzz-harness/sig_fuzz.cc
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
@@ -26,7 +26,6 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
{
#ifdef WITH_OPENSSL
static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048);
- static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024);
static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256);
static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
@@ -41,19 +40,20 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
sshkey_sig_details_free(details);
details = NULL;
- sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
- sshkey_sig_details_free(details);
- details = NULL;
+
sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
sshkey_sig_details_free(details);
details = NULL;
+
sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
sshkey_sig_details_free(details);
details = NULL;
+
sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
sshkey_sig_details_free(details);
details = NULL;
#endif
+
sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
sshkey_sig_details_free(details);
return 0;
diff --git a/regress/penalty-expire.sh b/regress/penalty-expire.sh
index 30b7bd45..4f0bbe63 100644
--- a/regress/penalty-expire.sh
+++ b/regress/penalty-expire.sh
@@ -24,6 +24,7 @@ verbose "penalty expiry"
# Incur a penalty
cat /dev/null > $OBJ/authorized_keys_${USER}
${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail connect succeeded"
+sleep 2
# Check denied
cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
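Review bot: The added `sleep 2` has no comment saying what it waits for, and a fixed delay leaves the following "Check denied" step timing-dependent on slow or loaded hosts. If the pause is there to let sshd register the penalty from the failed login before the next connection, say so on the line: `sleep 2 # allow sshd to record the penalty before reconnecting`. The rest of the test is outside this hunk, so whether a polling loop would fit better cannot be judged from here.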
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index e483bc2a..7afc2807 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.115 2024/06/11 01:58:27 djm Exp $
+# $OpenBSD: test-exec.sh,v 1.119 2024/06/20 08:18:34 dtucker Exp $
# Placed in the Public Domain.
#SUDO=sudo
@@ -846,15 +846,25 @@ esac
if test "$REGRESS_INTEROP_DROPBEAR" = "yes" ; then
trace Create dropbear keys and add to authorized_keys
mkdir -p $OBJ/.dropbear
- for i in rsa ecdsa ed25519 dss; do
+ kt="ed25519"
+ for i in dss rsa ecdsa; do
+ if $SSH -Q key-plain | grep "$i" >/dev/null; then
+ kt="$kt $i"
+ else
+ rm -f "$OBJ/.dropbear/id_$i"
+ fi
+ done
+ for i in $kt; do
if [ ! -f "$OBJ/.dropbear/id_$i" ]; then
- ($DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i
- $DROPBEARCONVERT dropbear openssh \
- $OBJ/.dropbear/id_$i $OBJ/.dropbear/ossh.id_$i
- ) > /dev/null 2>&1
+ verbose Create dropbear key type $i
+ $DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i \
+ >/dev/null 2>&1
fi
+ $DROPBEARCONVERT dropbear openssh $OBJ/.dropbear/id_$i \
+ $OBJ/.dropbear/ossh.id_$i >/dev/null 2>&1
$SSHKEYGEN -y -f $OBJ/.dropbear/ossh.id_$i \
>>$OBJ/authorized_keys_$USER
+ rm -f $OBJ/.dropbear/id_$i.pub $OBJ/.dropbear/ossh.id_$i
done
fi
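Review bot: The `$DROPBEARCONVERT` step now runs for every key type with its output discarded and its exit status ignored, so a failed conversion only shows up later as a missing line in authorized_keys. Checking it in place would localise the failure: append `|| fatal "dropbearconvert failed for $i"` to the command, and treat `$DROPBEARKEY` the same way. Removing `ossh.id_$i` after the public half is extracted is a good touch, since it avoids leaving a second copy of the private key in `$OBJ`. The final `rm -f $OBJ/.dropbear/id_$i.pub $OBJ/.dropbear/ossh.id_$i` leaves its paths unquoted, while the earlier `rm -f "$OBJ/.dropbear/id_$i"` quotes them; quoting both keeps the loop consistent.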
diff --git a/serverloop.c b/serverloop.c
index 4eabfced..757cc6f0 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.239 2024/05/17 00:30:24 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.240 2024/06/17 08:28:31 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -266,11 +266,11 @@ process_input(struct ssh *ssh, int connection_in)
if (errno == EAGAIN || errno == EINTR || errno == EWOULDBLOCK)
return 0;
if (errno == EPIPE) {
- verbose("Connection closed by %.100s port %d",
+ logit("Connection closed by %.100s port %d",
ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
return -1;
}
- verbose("Read error from remote host %s port %d: %s",
+ logit("Read error from remote host %s port %d: %s",
ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
strerror(errno));
cleanup_exit(255);
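Review bot: The two messages promoted to logit() format the same ssh_remote_ipaddr() value differently, `%.100s` in the EPIPE branch and `%s` in the read-error branch; using `%.100s` in both keeps the bound consistent. Both events are triggered by the remote peer and will now appear at the default log level, so a short comment such as `/* logged at INFO so dropped connections are visible without raising LogLevel */` would record why the level changed. It is worth checking that log volume on internet-facing hosts stays acceptable. process_input starts above the hunk and continues below it.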
diff --git a/srclimit.c b/srclimit.c
index 837e8260..3dbdbf67 100644
--- a/srclimit.c
+++ b/srclimit.c
@@ -405,7 +405,7 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
penalty_cfg.overflow_mode : penalty_cfg.overflow_mode6;
npenaltiesp = addr->af == AF_INET ? &npenalties4 : &npenalties6;
t = addr->af == AF_INET ? "ipv4" : "ipv6";
- if (*npenaltiesp > (size_t)max_sources &&
+ if (*npenaltiesp >= (size_t)max_sources &&
overflow_mode == PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL) {
verbose_f("%s penalty table full, cannot penalise %s for %s", t,
addrnetmask, reason);
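Review bot: The corrected boundary test still compares against `(size_t)max_sources`, and the cast would turn a negative value into a very large bound, so the deny-all branch would never be taken. The declaration and assignment of max_sources are outside this hunk; if it is a signed int derived from configuration, confirm that it is validated as non-negative before this point. A comment on the condition, for example `/* table holds at most max_sources entries; refuse new penalties once it is full */`, would also make the `>=` boundary explicit for the next reader.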
diff --git a/ssh-add.1 b/ssh-add.1
index 290ba91d..c31de4dd 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-add.1,v 1.86 2023/12/19 06:57:34 jmc Exp $
+.\" $OpenBSD: ssh-add.1,v 1.87 2024/06/17 08:30:29 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: December 19 2023 $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSH-ADD 1
.Os
.Sh NAME
@@ -67,10 +67,9 @@ When run without arguments, it adds the files
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ecdsa_sk ,
-.Pa ~/.ssh/id_ed25519 ,
-.Pa ~/.ssh/id_ed25519_sk ,
+.Pa ~/.ssh/id_ed25519
and
-.Pa ~/.ssh/id_dsa .
+.Pa ~/.ssh/id_ed25519_sk .
After loading a private key,
.Nm
will try to load corresponding certificate information from the
@@ -314,13 +313,12 @@ the built-in USB HID support.
.El
.Sh FILES
.Bl -tag -width Ds -compact
-.It Pa ~/.ssh/id_dsa
.It Pa ~/.ssh/id_ecdsa
.It Pa ~/.ssh/id_ecdsa_sk
.It Pa ~/.ssh/id_ed25519
.It Pa ~/.ssh/id_ed25519_sk
.It Pa ~/.ssh/id_rsa
-Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
+Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
authenticator-hosted Ed25519 or RSA authentication identity of the user.
.El
.Pp
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index c392141e..df6803fd 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.230 2023/09/04 10:29:58 job Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.232 2024/06/17 13:50:18 naddy Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: September 4 2023 $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@@ -51,7 +51,7 @@
.Op Fl m Ar format
.Op Fl N Ar new_passphrase
.Op Fl O Ar option
-.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
+.Op Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
.Op Fl w Ar provider
.Op Fl Z Ar cipher
.Nm ssh-keygen
@@ -205,7 +205,6 @@ section for details.
Normally each user wishing to use SSH
with public key authentication runs this once to create the authentication
key in
-.Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ecdsa_sk ,
.Pa ~/.ssh/id_ed25519 ,
@@ -296,7 +295,6 @@ Show the bubblebabble digest of specified private or public key file.
Specifies the number of bits in the key to create.
For RSA keys, the minimum size is 1024 bits and the default is 3072 bits.
Generally, 3072 bits is considered sufficient.
-DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
For ECDSA keys, the
.Fl b
flag determines the key length by selecting from one of three elliptic
@@ -414,9 +412,8 @@ section.
Prints the contents of one or more certificates.
.It Fl l
Show fingerprint of specified public key file.
-For RSA and DSA keys
.Nm
-tries to find the matching public key file and prints its fingerprint.
+will try to find the matching public key file and prints its fingerprint.
If combined with
.Fl v ,
a visual ASCII art representation of the key is supplied with the
@@ -579,10 +576,9 @@ by key ID or serial number.
See the
.Sx KEY REVOCATION LISTS
section for details.
-.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
+.It Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
Specifies the type of key to create.
The possible values are
-.Dq dsa ,
.Dq ecdsa ,
.Dq ecdsa-sk ,
.Dq ed25519 ,
@@ -1290,13 +1286,12 @@ the built-in USB HID support.
.El
.Sh FILES
.Bl -tag -width Ds -compact
-.It Pa ~/.ssh/id_dsa
.It Pa ~/.ssh/id_ecdsa
.It Pa ~/.ssh/id_ecdsa_sk
.It Pa ~/.ssh/id_ed25519
.It Pa ~/.ssh/id_ed25519_sk
.It Pa ~/.ssh/id_rsa
-Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
+Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
authenticator-hosted Ed25519 or RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
@@ -1308,13 +1303,12 @@ but it is offered as the default file for the private key.
.Xr ssh 1
will read this file when a login attempt is made.
.Pp
-.It Pa ~/.ssh/id_dsa.pub
.It Pa ~/.ssh/id_ecdsa.pub
.It Pa ~/.ssh/id_ecdsa_sk.pub
.It Pa ~/.ssh/id_ed25519.pub
.It Pa ~/.ssh/id_ed25519_sk.pub
.It Pa ~/.ssh/id_rsa.pub
-Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
+Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
authenticator-hosted Ed25519 or RSA public key for authentication.
The contents of this file should be added to
.Pa ~/.ssh/authorized_keys
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index df4fb6ca..79cef300 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.51 2024/06/14 05:20:34 jmc Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.52 2024/06/17 08:30:29 djm Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
@@ -6,7 +6,7 @@
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
-.Dd $Mdocdate: June 14 2024 $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
@@ -130,7 +130,6 @@ The default is 5 seconds.
.It Fl t Ar type
Specify the type of the key to fetch from the scanned hosts.
The possible values are
-.Dq dsa ,
.Dq ecdsa ,
.Dq ed25519 ,
.Dq ecdsa-sk ,
@@ -138,14 +137,7 @@ The possible values are
or
.Dq rsa .
Multiple values may be specified by separating them with commas.
-The default is to fetch
-.Dq rsa ,
-.Dq ecdsa ,
-.Dq ed25519 ,
-.Dq ecdsa-sk ,
-and
-.Dq ed25519-sk
-keys.
+The default is to fetch all the above key types.
.It Fl v
Verbose mode:
print debugging messages about progress.
@@ -177,7 +169,7 @@ Find all hosts from the file
which have new or different keys from those in the sorted file
.Pa ssh_known_hosts :
.Bd -literal -offset indent
-$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
+$ ssh-keyscan -t rsa,ecdsa,ed25519 -f ssh_hosts | \e
sort -u - ssh_known_hosts | diff ssh_known_hosts -
.Ed
.Sh SEE ALSO
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index 6b4b9b27..3b4d35b0 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.17 2022/03/31 17:27:27 naddy Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.18 2024/06/17 08:30:29 djm Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
.\"
@@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSH-KEYSIGN 8
.Os
.Sh NAME
@@ -61,7 +61,6 @@ Controls whether
.Nm
is enabled.
.Pp
-.It Pa /etc/ssh/ssh_host_dsa_key
.It Pa /etc/ssh/ssh_host_ecdsa_key
.It Pa /etc/ssh/ssh_host_ed25519_key
.It Pa /etc/ssh/ssh_host_rsa_key
@@ -73,7 +72,6 @@ Since they are readable only by root,
.Nm
must be set-uid root if host-based authentication is used.
.Pp
-.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
diff --git a/ssh.1 b/ssh.1
index 61a154c2..6b5bb0e0 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.440 2024/05/26 20:35:12 naddy Exp $
-.Dd $Mdocdate: May 26 2024 $
+.\" $OpenBSD: ssh.1,v 1.441 2024/06/17 08:30:29 djm Exp $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSH 1
.Os
.Sh NAME
@@ -304,10 +304,9 @@ The default is
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ecdsa_sk ,
-.Pa ~/.ssh/id_ed25519 ,
-.Pa ~/.ssh/id_ed25519_sk
+.Pa ~/.ssh/id_ed25519
and
-.Pa ~/.ssh/id_dsa .
+.Pa ~/.ssh/id_ed25519_sk .
Identity files may also be specified on
a per-host basis in the configuration file.
It is possible to have multiple
@@ -929,10 +928,10 @@ key pair for authentication purposes.
The server knows the public key, and only the user knows the private key.
.Nm
implements public key authentication protocol automatically,
-using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
+using one of the ECDSA, Ed25519 or RSA algorithms.
The HISTORY section of
.Xr ssl 8
-contains a brief discussion of the DSA and RSA algorithms.
+contains a brief discussion of the RSA and ECDSA algorithms.
.Pp
The file
.Pa ~/.ssh/authorized_keys
@@ -959,8 +958,6 @@ flag).
The user creates their key pair by running
.Xr ssh-keygen 1 .
This stores the private key in
-.Pa ~/.ssh/id_dsa
-(DSA),
.Pa ~/.ssh/id_ecdsa
(ECDSA),
.Pa ~/.ssh/id_ecdsa_sk
@@ -973,8 +970,6 @@ or
.Pa ~/.ssh/id_rsa
(RSA)
and stores the public key in
-.Pa ~/.ssh/id_dsa.pub
-(DSA),
.Pa ~/.ssh/id_ecdsa.pub
(ECDSA),
.Pa ~/.ssh/id_ecdsa_sk.pub
@@ -1556,7 +1551,7 @@ secret, but the recommended permissions are read/write/execute for the user,
and not accessible by others.
.Pp
.It Pa ~/.ssh/authorized_keys
-Lists the public keys (DSA, ECDSA, Ed25519, RSA)
+Lists the public keys (ECDSA, Ed25519, RSA)
that can be used for logging in as this user.
The format of this file is described in the
.Xr sshd 8
@@ -1576,7 +1571,6 @@ Contains additional definitions for environment variables; see
.Sx ENVIRONMENT ,
above.
.Pp
-.It Pa ~/.ssh/id_dsa
.It Pa ~/.ssh/id_ecdsa
.It Pa ~/.ssh/id_ecdsa_sk
.It Pa ~/.ssh/id_ed25519
@@ -1592,7 +1586,6 @@ It is possible to specify a passphrase when
generating the key which will be used to encrypt the
sensitive part of this file using AES-128.
.Pp
-.It Pa ~/.ssh/id_dsa.pub
.It Pa ~/.ssh/id_ecdsa.pub
.It Pa ~/.ssh/id_ecdsa_sk.pub
.It Pa ~/.ssh/id_ed25519.pub
diff --git a/ssh_config.5 b/ssh_config.5
index 0f8dddcb..2e190228 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.395 2024/06/14 05:01:22 djm Exp $
-.Dd $Mdocdate: June 14 2024 $
+.\" $OpenBSD: ssh_config.5,v 1.396 2024/06/17 08:30:29 djm Exp $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -1114,7 +1114,7 @@ section and environment variables as described in the
.Sx ENVIRONMENT VARIABLES
section.
.It Cm IdentityFile
-Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
+Specifies a file from which the user's ECDSA, authenticator-hosted ECDSA,
Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read.
You can also specify a public key file to use the corresponding
private key that is loaded in
@@ -1124,10 +1124,9 @@ The default is
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ecdsa_sk ,
-.Pa ~/.ssh/id_ed25519 ,
-.Pa ~/.ssh/id_ed25519_sk
+.Pa ~/.ssh/id_ed25519
and
-.Pa ~/.ssh/id_dsa .
+.Pa ~/.ssh/id_ed25519_sk .
Additionally, any identities represented by the authentication agent
will be used for authentication unless
.Cm IdentitiesOnly
diff --git a/sshd.8 b/sshd.8
index 73d5e923..c0f095ca 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.325 2023/09/19 20:37:07 deraadt Exp $
-.Dd $Mdocdate: September 19 2023 $
+.\" $OpenBSD: sshd.8,v 1.326 2024/06/17 08:30:29 djm Exp $
+.Dd $Mdocdate: June 17 2024 $
.Dt SSHD 8
.Os
.Sh NAME
@@ -465,8 +465,6 @@ sk-ssh-ed25519@openssh.com
.It
ssh-ed25519
.It
-ssh-dss
-.It
ssh-rsa
.El